redline | aec980989772ede0dc405ab1f0cc49a0246daaa765a6edf93a54c8e146894546 | Triage

Submit
Reports

Overview

overview

Static

static

8254bad320...b3.exe

windows7_x64

8254bad320...b3.exe

windows10_x64

Sharing

General

Target

8254bad320e6efd4f780285492d5a5b3.exe
Size

337KB
Sample

210628-r6f3yht8q2
MD5

8254bad320e6efd4f780285492d5a5b3
SHA1

2a4f00307de0719241e47e5aa3cb8ed4aeda3f51
SHA256

aec980989772ede0dc405ab1f0cc49a0246daaa765a6edf93a54c8e146894546
SHA512

dd9deae7bae40a4d04267fcb2616e8f6e89686149c3e38e3ba9af24b6d5243e935270a3be82bcc4415c18b0e926d3a46ba57d6fa642426ecd37746ed3cf7e1ce

Score

10^/10

redline smokeloader sew backdoor bootkit discovery infostealer persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

8254bad320e6efd4f780285492d5a5b3.exe

Resource

win7v20210410

redline smokeloader sew backdoor discovery infostealer persistence trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

8254bad320e6efd4f780285492d5a5b3.exe

Resource

win10v20210408

redline smokeloader sew backdoor bootkit infostealer persistence trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://ppcspb.com/upload/

http://mebbing.com/upload/

http://twcamel.com/upload/

http://howdycash.com/upload/

http://lahuertasonora.com/upload/

http://kpotiques.com/upload/

rc4.i32

rc4.i32

Extracted

Family

redline

Botnet

sew

C2

185.215.113.64:8765

Targets

- Target
  
  8254bad320e6efd4f780285492d5a5b3.exe
- Size
  
  337KB
- MD5
  
  8254bad320e6efd4f780285492d5a5b3
- SHA1
  
  2a4f00307de0719241e47e5aa3cb8ed4aeda3f51
- SHA256
  
  aec980989772ede0dc405ab1f0cc49a0246daaa765a6edf93a54c8e146894546
- SHA512
  
  dd9deae7bae40a4d04267fcb2616e8f6e89686149c3e38e3ba9af24b6d5243e935270a3be82bcc4415c18b0e926d3a46ba57d6fa642426ecd37746ed3cf7e1ce
Score

10^/10

redline smokeloader sew backdoor discovery infostealer persistence trojan bootkit
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Bootkit

Privilege Escalation

Defense Evasion

File Permissions Modification

Modify Registry

Install Root Certificate

Credential Access

Discovery

System Information Discovery

Query Registry

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

redlinesmokeloadersewbackdoordiscoveryinfostealerpersistencetrojan

behavioral2

redlinesmokeloadersewbackdoorbootkitinfostealerpersistencetrojan

© 2018-2024

Terms | Privacy